b"                                                          IG-01-008\n\n\n\n\nREVIEW\n                               REVIEW OF THE COLLECTION OF\nREPORT                     PERSONALLY IDENTIFIABLE INFORMATION\n                                    ON NASA\xe2\x80\x99S WEB SITES\n                                      February 16, 2001\n\n\n\n\n                           OFFICE OF INSPECTOR GENERAL\n\n\nNational Aeronautics and\nSpace Administration\n\x0cAdditional Copies\n\n\nTo obtain additional copies of this report, contact the Assistant Inspector General for\nAuditing at (202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html .\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General\nfor Auditing. Ideas and requests can also be mailed to:\n\n        Assistant Inspector General for Auditing\n        Code W\n        NASA Headquarters\n        Washington, DC 20546-0001\n\nNASA Hotline\n\nTo report fraud, waste, abuse, or mismanagement contact the NASA Hotline at (800)\n424-9183, (800) 535-8134 (TDD), or at ww.hq.nasa.gov/office/oig/hq/hotline.html#form; or write\nto the NASA Inspector General, P.O. Box 23089, L\xe2\x80\x99Enfant Plaza Station, Washington,\nDC 20026. 
The identity of each writer and caller can be kept confidential, upon request,\nto the extent permitted by law.\n\nReader Survey\n\nPlease complete the reader survey at the end of this report or at\nww.hq.nasa.gov/office/oig/hq/audits.html .\n\n\n\n\nAcronyms\n\nIP               Internet Protocol\nOMB              Office of Management and Budget\nPCIE             President's Council on Integrity and Efficiency\n\x0cW                                                                  February 16, 2001\n\n\nTO:           AO/Chief Information Officer\n\nFROM:         W/Assistant Inspector General for Auditing\n\nSUBJECT:      Final Report on the Review of Collection of Personally Identifiable\n              Information on NASA\xe2\x80\x99s Web Sites\n              Assignment Number A0101400\n              Report Number IG-01-008\n\n\nThe subject final report is provided for your use and comment. Please refer to the Results\nin Brief section for the overall review results. Our evaluation of your responses has been\nincorporated into the body of the report. Because management did not agree that certain\ncorrective actions were needed and did not provide sufficient information to support its\nposition on other recommendations, we request additional information as described in the\nreport by March 16, 2001.\n\n\nIf you have questions concerning the report, please contact Mr. Gregory B. Melson,\nDirector, Information Assurance Audits, at (202) 358-2588, or Mr. Ernest L. Willard,\nProgram Manager, at (650) 604-2676. We appreciate the courtesies extended to the audit\nstaff. The final report distribution is in Appendix C.\n\n\n[original signed by]\nRussell A. Rau\n\n\n\nEnclosure\n\ncc:\nB/Acting Chief Financial Officer\nB/Comptroller\nBF/Director, Financial Management Division\nG/General Counsel\nJM/Director, Management Assessment Division\n\x0c                2\nbcc:\nAIGA Chron\nW/B. Melson\n   E. Willard\n   N. 
Cipolla\n\x0c                            NASA Office of Inspector General\n\nIG-01-008                                                                         February 16, 2001\n A0101400\n\n         Review of Collection of Personally Identifiable Information\n                           on NASA\xe2\x80\x99s Web Sites\n\nIntroduction\n\nOnline privacy has emerged as one of the key and most contentious issues surrounding\nthe continued evolution of the Internet. The World Wide Web requires the collection of\ncertain data from individuals who visit Web sites in order for the site to operate properly.\nHowever, collection of even the most basic data can be controversial because of the\npublic\xe2\x80\x99s apprehension about the type of information collected and how it could be used.\n\nFederal agency Web sites are governed by specific laws designed to protect an\nindividual\xe2\x80\x99s privacy when agencies collect personal information. 1 The laws require that\nagencies (1) do not disclose personal information obtained without the individual's\nconsent, (2) grant access to the individual of his/her own records 2 under certain\ncircumstances, and (3) provide protection against disclosure and loss of personal\ninformation.\n\nPublic Law 106-554 enacted December 16, 2000, requires the NASA Office of Inspector\nGeneral to report any activity related to the collection of personal information on\nNASA\xe2\x80\x99s publicly accessible Internet Web sites. 
Specifically, the law requires the\nInspector General to report to the Congress any NASA activity relating to:\n\n         (1) the collection or review of singular data, or the creation of aggregate lists\n             that include personally identifiable information, about individuals who\n             access any Internet site of the department or agency; and\n\n         (2) entering into agreements with third parties, including other government\n             agencies, to collect, review, or obtain aggregate lists or singular data\n             containing personally identifiable information relating to any individual\xe2\x80\x99s\n             access or viewing habits for governmental and nongovernmental Internet\n             sites.\n\nThe report is due to the Congress by February 16, 2001.\n\n\n\n1\n  We interpreted personal information as information that could be tracked to the individual Web site\nvisitor such as name, street address, e-mail address. Our interpretation was based, in part, on information\nfrom the Office of Management and Budget, the General Accounting Office and congressional staff.\n2\n  In this case an individual\xe2\x80\x99s own records are those with personal information under the control of any\nFederal agency from which information is retrieved by the name of the individual or by some identifying\nnumber, symbol, or other identifying particular assigned to the individual.\n\x0cThe Office of Management and Budget (OMB) has issued additional guidance on Internet\nprivacy issues directing agencies to post on Federal sites the privacy policies and\nguidelines for the collection of personal information.\n\nThe objective of our review was to address the Public Law 106-554 reporting\nrequirement. For our limited review, we tested a sample of 49 publicly accessible NASA\nWeb sites and reviewed about 600 Web pages3 within those sites. 
We also obtained\nwritten representation from NASA management regarding third-party agreements to\ncollect, review, or obtain personal information relating to Web site visitors' access or\nviewing habits. Our scope did not include coverage of contractors\xe2\x80\x99 commercial Web\nsites that may provide information on NASA programs supported by those contractors.\nSee Appendix A for details on our objective, scope, and methodology.\n\nResults in Brief\n\nFor the 49 publicly accessible Web sites we visited, we found that none collected without\nthe user\xe2\x80\x99s permission, 4 personally identifiable information from individuals visiting the\nAgency\xe2\x80\x99s Web sites. Some of the sites we visited gather Internet Protocol (IP) addresses 5\nof visitors for security purposes. IP addresses could aid in identifying a Web site user,\nbut are not considered personal information. NASA has not entered into third-party\nagreements to collect, review, or obtain personally identifiable information relating to an\nindividual\xe2\x80\x99s access or viewing habits for Internet sites. However, we found three\npersistent cookies 6 in use at the sites we visited. While these cookies do not collect or\nstore personal information, NASA\xe2\x80\x99s use of the cookies and its Privacy Statement 7 are not\nin full compliance with Federal policies. Additionally, the management of publicly\naccessible Web sites needs improvement. Without improvements in its privacy policies\nand practices, NASA cannot ensure adequate protection of the privacy rights of its Web\nsite visitors.\n\n\nBackground\n\nNASA uses Web-based technology to provide interfaces to a wide variety of resources\nand information. NASA employees, NASA contractors, researchers, and the general\npublic use these resources and information. 
To service the public, NASA maintains\n\n3\n  A Web page is a file on the World Wide Web.\n4\n  Some NASA sites may ask visitors to voluntarily provide personal information, for example, to respond\nto the visitor\xe2\x80\x99s questions or to register for opportunities available at a site.\n5\n  An IP address is an identifier for a computer or device on an Internet protocol network.\n6\n  Cookies are text files saved in the browser\xe2\x80\x99s directory or folder. There are two types of cookies -- session\nand persistent. A session cookie is automatically deleted when the user\xe2\x80\x99s browser is closed. A persistent\ncookie is a small text file placed on a consumer\xe2\x80\x99s computer hard drive by a Web server. The cookie\ntransmits information back to the server that placed it and, in general, can be read only by that server.\n7\n  A Privacy Statement contains an agency\xe2\x80\x99s privacy policy. The policy must clearly and concisely inform\nvisitors to the site what information the agency collects about individuals, why the agency collects it, and\nhow the agency will use it. Privacy policies must be clearly labeled and easily accessed when someone\nvisits a Web site.\n\n                                                      2\n\x0cabout 2 million Web pages. The Agency Web sites are among the most visited of all\nGovernment sites. For example, the main Agency site alone received a total of 64.1\nmillion visits during the year 2000. As a result NASA is considered a high-impact8\nagency.\n\n\nNASA Privacy Policies\n\nFinding. Our limited review showed that none of the NASA publicly accessible Web\nsites tested were collecting personal information without disclosure to the Web site\nvisitor. 
Also, NASA management stated that the Agency had not entered into third-party\nagreements to collect, review, or obtain personally identifiable information relating to\nany individual\xe2\x80\x99s access or viewing habits for Internet sites, and our review did not\ndisclose evidence of such third-party agreements.\n\nHowever, several privacy issues require management\xe2\x80\x99s attention. The persistent cookies\nwe found on NASA\xe2\x80\x99s Web sites were not in full compliance with related OMB policies.\nAlso, NASA\xe2\x80\x99s Privacy Statement does not contain all the OMB-required elements, and\nimprovements are needed on the management of publicly accessible Web sites. Without\nimprovements in its privacy policies and practices, NASA cannot ensure adequate\nprotection of the privacy rights of its Web site visitors.\n\n\nUse of Persistent Cookies\n\nNASA\xe2\x80\x99s publicly accessible Web sites use of persistent cookies is not in compliance with\nOMB policies. OMB Memorandum M-99-18, \xe2\x80\x9cPrivacy Policies on Federal Web Sites,\xe2\x80\x9d\ndated June 2, 1999, provides guidance on Internet privacy issues, directing agencies to\npost on principal Federal Web sites 9 the privacy policies that disclose the information\nbeing collected, why it is collected, and how it will be used. Additionally, OMB\nMemorandum M-00-13, \xe2\x80\x9cPrivacy Policies and Data Collection on Federal Web Sites,\xe2\x80\x9d\nissued June 22, 2000, provides guidance concerning data collection on Federal Web sites\nusing Web technology that can track the activities of users over time and across different\nWeb sites. One of the most commonly used Web-based technologies to store personal\ninformation without the user\xe2\x80\x99s consent is the persistent cookie. 
OMB policy states that\npersistent cookies should not be used unless there is a clear and conspicuous notice, a\ncompelling need to gather the data on the site, appropriate and publicly disclosed\nsafeguards for handling information derived from cookies, and approval by the head of\nthe agency. The guidelines are applicable even if the persistent cookie does not contain\npersonally identifiable information.\n\n\n8\n  According to the National Partnership for Reinventing Government, high-impact agencies handle 90\npercent of the Federal Government\xe2\x80\x99s contact with the public.\n9\n  Principal Web sites are Internet sites designed as the major entry point for the Agency sites. These\ninclude the Agency\xe2\x80\x99s home page and any Web page that receives a high number of visits.\n\n                                                     3\n\x0cWe reviewed a total of 49 principal Web sites during January 2001. We selected 28 sites\nfrom NASA\xe2\x80\x99s most active and visible publicly accessible Web sites list. Additionally,\nwe searched the Internet and judgmentally selected and tested a total of 20 public access\nWeb sites for Kennedy Space Center and Ames Research Center. We also tested the\nOffice of Inspector General Web site. We visited about 600 Web pages related to the 49\nprincipal Web sites visited. We tested all the sites to determine whether the sites (1)\ncollected any personally identifiable information and (2) posted a Privacy Statement\nconsistent with OMB privacy guidelines. Three NASA sites we reviewed contained\npersistent cookies. We requested written assurances from NASA management about\nwhether use of the persistent cookies complied with the OMB requirements. In response\nto our review, management disabled one of the three persistent cookies. In all three\ncases, the cookies did not contain personally identifiable information. However, none of\nthe persistent cookies we identified fully complied with the OMB requirements. 
For\nexample, no clear and conspicuous notice of their use was given, and the NASA\nAdministrator had not approved the use of any of the cookies. In one case, management\nstated that NASA should pursue a waiver from the OMB requirements for persistent\ncookies that do not store any personally identifiable information. Management\xe2\x80\x99s written\nresponses did not indicate why the persistent cookies were not in compliance with OMB\npolicies.\n\nThird-Party Agreements\n\nNASA management provided written assurance to the Office of Inspector General that it\nhas no third-party agreements to collect, review, or obtain personally identifiable\ninformation relating to an individual\xe2\x80\x99s access or viewing habits for Internet sites. Also,\nwe found no third-party persistent cookies at any of the sites visited during our review.\n\nHowever, one Center\xe2\x80\x99s main Web site contains a link to its Visitor Complex where\ntickets for visitor attractions may be purchased. This link is to a commercial domain 10\nsite operated by a NASA contractor. This site contains further links providing\ninformation for visitors who are interested in purchasing tickets. Ultimately, a form is\ndisplayed requesting the personal information (name, address, etc.) necessary to complete\na ticket purchase.\n\nThe site where the purchase form is located is in the domain of yet another commercial\nentity. This site is a commercial Web site with a privacy policy, which states that the\nNASA contractor will not sell the personal/credit information to any third party.\nHowever, the policy states that the contractor reserves the right to sell, trade, or rent the\nuser\xe2\x80\x99s email address.\n\n\n\n\n10\n  A commercial domain is a group of computers and devices on a network that are administered as a unit\nwith common rules and procedures. Within the Internet, domains are defined by their IP address. 
All\ndevices sharing a common part of the IP address are said to be in the same domain (for example, the\nnasa.gov domain).\n\n                                                   4\n\x0cThere is no warning to the visitor when he or she departs the NASA domain and enters\nthe series of commercial (.com) sites. 11 Further, each of these commercial domain pages\nhas the NASA Center's name prominently displayed at the top of the page and generally\nresembles the NASA Center site in appearance. Accordingly, the NASA visitor may not\nrealize that he or she has left the NASA Web site and is now providing detailed personal\ninformation to an entity other than NASA. NASA\xe2\x80\x99s Web sites should clearly indicate to\nusers when they are about to leave an Agency Web site to link to an outside site.\n\nNASA\xe2\x80\x99s Web Site Privacy Statement and OMB Policies\n\nNASA\xe2\x80\x99s Web site Privacy Statement does not fully implement OMB policies regarding\nInternet privacy. OMB Memorandums M-99-18 and M-00-13 require every Federal Web\nsite to include links to the agency\xe2\x80\x99s privacy policy statement. NASA\xe2\x80\x99s policy also\nrequires links to the NASA Privacy Statement. However, during our test, we noticed\nseveral sites that did not include a link to the NASA Privacy Statement.\n\nOMB policy states that each Privacy Statement must clearly inform Web site visitors as\nto what information the agency collects about individuals, why the agency collects it,\nhow the agency will use it, and give clear and conspicuous notice if cookies are used.\nNASA\xe2\x80\x99s Privacy Statement does not address how the Agency will use an individual\xe2\x80\x99s\ninformation. For example, the Privacy Statement provides no assurance that no further\nuse, other than the one intended or as necessary for security reasons, will be made of\ninformation visitors provide on NASA\xe2\x80\x99s Web sites. 
Also, the statement does not address\nthe use of cookies and does not specifically inform visitors that NASA is not responsible\nfor the collection practices of the links it provides on its Web sites. However, some of\nthe Centers\xe2\x80\x99 sites used modified versions of the NASA Privacy Statement that more fully\ncomply with OMB policies. For example, the Privacy Statement at the NASA KIDS\nWeb site 12 defines cookies and explains NASA's policy on using cookies. This Privacy\nStatement also discusses reasons for gathering IP addresses of site visitors. Also, the\nKennedy Space Center Privacy Statement 13 more clearly discusses use of personally\nidentifiable information. NASA should revise its Agencywide Privacy Statement to\nensure consistency and compliance with OMB privacy policies.\n\n\n\n\n11\n   An example of such a warning message can be found at the Marshall Space Flight Center (Marshall),\nWeb site. Prior to departing the site where a link to an external domain has been provided, this message\nappears:\n    You are now leaving the Inside Marshall Web site. Inside Marshall provides a link to this\n    external Web page because it may contain related information of interest to you. This link\n    does not constitute an endorsement by MSFC [Marshall] of any information, products or\n    services on this external Web site. You can return to Inside Marshall by using the Back\n    button on your Web browser.\n12\n   The NASA KIDS Web site is at http://kids.msfc.nasa.gov/Privacy.html.\n13\n   The Kennedy Web site is at http://www-pao.ksc.nasa.gov/kscpao/home/privacy.html.\n\n                                                     5\n\x0cManagement of Publicly Accessible Web Sites\n\nNASA does not require the maintenance of a consolidated Agencywide inventory of\nNASA\xe2\x80\x99s publicly accessible Web sites. 
Therefore, we were not able to reliably\ndetermine how many public sites are available, ownership of the sites, or whether the\nsites are in compliance with NASA\xe2\x80\x99s policies. We inquired about the process to approve\nand establish Web sites on NASA\xe2\x80\x99s servers. NASA\xe2\x80\x99s guidelines require supervisory\napproval authorizing release of information to the public. However, each Center decides\nhow to manage and control the publicly accessible Web sites, which can result in\ninconsistent approaches. Also, one Webmaster14 indicated that the establishment of a\npublic Web site could occur without supervisory approval. 15 NASA is considered a high-\nimpact agency. For example, the main Agency site alone received a total of 64.1 million\nvisits during the year 2000. NASA\xe2\x80\x99s popularity increases the importance of a consistent\napproach regarding control and management of Web sites available to the public. NASA\nhas not assessed whether all publicly accessible Web sites are in compliance with\napplicable Federal privacy laws and policies. The Agency is in the process of modifying\ninformation technology policies to provide more guidance on Internet issues. These\npolicies should require the establishment of a process to periodically assess whether\nNASA Web sites comply with applicable Federal privacy laws and policies.\n\n\nRecommendations, Management\xe2\x80\x99s Response, and Evaluation of\nResponse\n\nThe NASA Chief Information Officer should:\n\n1. Establish NASA policies regarding the use of persistent cookies as required by\n   OMB policies.\n\nManagement\xe2\x80\x99s Response. Concur. Management responded that NASA has adopted\nOMB policy as the Agency\xe2\x80\x99s policy, which it has issued to all NASA Centers.\nManagement will continue to assess the need for additional Agency policies. The\ncomplete text of management's response is in Appendix B.\n\nEvaluation of Management\xe2\x80\x99s Response. 
Management\xe2\x80\x99s comments are not responsive\nto the recommendation. NASA does not have a policy specifically addressing the use of\npersistent cookies at the Agency\xe2\x80\x99s public Web sites. As discussed in the finding section\nof the report, during our testing of NASA\xe2\x80\x99s public sites we found persistent cookies that\nwere not in compliance with OMB policies. For example, we found no evidence that the\nAgency had approved the use of persistent cookies. Accordingly, we request that\n\n\n14\n  A Webmaster is the individual managing a Web site.\n15\n  NASA Procedures and Guidelines 2800.1, \xe2\x80\x9cManaging Information Technology,\xe2\x80\x9d states that \xe2\x80\x9cSupervisory\napproval authorizing release of information to the public must be obtained in accordance with NASA's\n policies. The local NASA Office of Public Affairs should be consulted to determine what authorization is\nneeded.\xe2\x80\x9d\n\n                                                   6\n\x0cmanagement reconsider its position and provide additional comments in response to the\nfinal report. The recommendation remains unresolved and undispositioned.\n\n\n2. Establish procedures to monitor the use of persistent cookies to ensure\n   compliance with OMB policies.\n\nManagement\xe2\x80\x99s Response. Nonconcur. Management stated that the Centers are\nresponsible to ensure that Agency policy is being followed. Further, monitoring about 2\nmillion Web pages would not be cost-effective (see Appendix B).\n\nEvaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s comments are not responsive\nto the recommendation. System scanning tools are available that Webmasters can use to\nreadily identify cookies on their Web sites. Also, according to NASA policy, supervisory\napproval is required before establishing a publicly accessible Web site. Without\nprocedures and tools to monitor the use of persistent cookies, NASA cannot ensure\ncompliance with OMB policies. 
We request that management reconsider its position and\nprovide additional comments in response to the final report. The recommendation\nremains unresolved and undispositioned.\n\n\n3. Implement Web-based measures to provide clear and conspicuous message\n    warnings to users when leaving the Agency\xe2\x80\x99s sites. The message should disclaim\n    NASA\xe2\x80\x99s endorsements of the sites and should advise the user that NASA is not\n    responsible for any collection of personal information that may occur at Web\n    sites outside of its domain.\n\nManagement\xe2\x80\x99s Response. Concur. Management stated that current policy requires that\na disclaimer be displayed when a NASA site links to external sites. The disclaimer may\nappear on the pages listing external links or through an intermediate \xe2\x80\x9cexit notice\xe2\x80\x9d page\ngenerated by the server. The Centers are responsible for policy implementation.\nManagement will continue to assess the need for additional Agency policies and\nprocedures (see Appendix B).\n\nEvaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s comments are not responsive\nto the recommendation. During our testing of Agency Web sites, we found links to\ncommercial sites that looked very similar to Agency sites. No warning was displayed at\nthe point of departure to the commercial sites. In this case, the requirement to provide\nclear and conspicuous warnings was not met. We request that management provide\nadditional comments in response to the final report. The recommendation remains\nunresolved and undispositioned.\n\n\n4. 
Revise the NASA Web site Privacy Statement to:\n\n\n\n\n                                            7\n\x0c        \xe2\x80\xa2   Address the use of cookies, and give a clear and conspicuous notice\n            immediately prior to placing a persistent cookie on the user\xe2\x80\x99s computer.\n\n        \xe2\x80\xa2   Address the collection of IP addresses by stating any reasons for\n            collecting them and that any use of collected addresses conforms to OMB\n            policies.\n\n        \xe2\x80\xa2   State that no further use will be made of the information users provide\n            on a NASA Web site, except for the intended use and/or as required by\n            law or if it is pertinent to judicial or governmental investigations or\n            proceedings.\n\n        \xe2\x80\xa2   Expand the present disclaimer for links that are not part of the NASA\n            Web family, or nasa.gov domain, to state that NASA is not responsible\n            for the information collection practices of those sites and that users\n            should read any Privacy Satements at those sites.\n\nManagement\xe2\x80\x99s Response. Partially concur. Management stated that it will address\npossible revisions of the Web Privacy Statement but that it did not agree with the specific\nwording in the recommendation (see Appendix B).\n\nEvaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s comments are not responsive\nto the recommendation. The wording we recommended is already included in several\nNASA Web site Privacy Statements. However, the Privacy Statement displayed at the\nAgency\xe2\x80\x99s main site did not include any of the elements in our recommendation. We\nrequest that management provide additional information on how possible revisions for\nthe Privacy Statement will be addressed. The recommendation remains unresolved and\nundispositioned.\n\n\n5. 
Establish and maintain a consolidated inventory of the Agency\xe2\x80\x99s publicly\n   accessible Web sites.\n\nManagement\xe2\x80\x99s Response. Nonconcur. Management does not believe it is practical or\ncost-effective for the NASA CIO to establish or maintain an inventory of sites. Further,\nthe recommendation appears to be outside the scope of the review requested by Congress.\nHowever, NASA is looking at alternative approaches to manage the Agency\xe2\x80\x99s public\nWeb pages (see Appendix B).\n\nEvaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s comments are not responsive\nto the recommendation. Without an inventory of its Web sites, the Agency cannot\ndetermine whether the sites are in compliance with NASA\xe2\x80\x99s policies. We request\nadditional information on the alternative approaches planned for managing the Agency\xe2\x80\x99s\npublic Web sites and that management reconsider its position in response to the final\nreport. The recommendation remains unresolved and undispositioned.\n\n\n                                             8\n\x0c6. Emphasize NASA-wide procedures to establish and maintain publicly accessible\n   Web sites, and implement them consistently throughout the Agency.\n\nManagement\xe2\x80\x99s Response. Partially concur. Even though management is looking at\nalternative approaches for managing the Agency\xe2\x80\x99s public Web pages, management does\nnot agree that this process will necessarily result in the adoption of NASA-wide\nprocedures (see Appendix B).\n\nEvaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s comments are not responsive\nto the recommendation. We believe that without Agencywide procedures, the Centers\xe2\x80\x99\napproaches for managing and controlling their public Web sites could vary significantly\nand result in inconsistent implementation of policy. 
We request that management\nreconsider its position and provide additional comments in response to the final report.\nThe recommendation remains unresolved and undispositioned.\n\n\n\n\n                                            9\n\x0c              Appendix A. Objectives, Scope, and Methodology\n\nObjective\n\nThe objective of this review was to address the reporting requirement established by\nPublic Law 106-554. The law requires that the Inspector General report to the Congress\nany NASA activity relating to the collection of personally identifiable information by the\nAgency at its publicly accessible Web sites and any third party agreements made by the\nAgency, including those with other governmental agencies, to collect, review, or obtain\npersonally identifiable information through the Internet.\n\nScope and Methodology\n\nUsing Office of Management Budget (OMB) policy regarding Federal Web site privacy\nand data collection and guidance provided by the President's Council on Integrity and\nEfficiency (PCIE), we interpreted the congressional reporting requirement to be primarily\nconcerned with personally identifiable information collected from Agency Web sites\nwithout disclosure to the site visitor. The persistent cookie is a principal technology for\nstoring information about Web site visitors. Our review methodology was consistent\nwith an approach for reviewing use of cookies by Federal Web sites that the General\nAccounting Office recommended to the PCIE on February 2, 2001. In performing the\nreview, we obtained a list of NASA\xe2\x80\x99s most active and visible publicly accessible Web\nsites. We did not review the methodology NASA used in identifying the most visited\nsites. The list contained 54 of the most visited public sites; we judgmentally selected 28\nsites for testing. 
Additionally, we searched the Internet and judgmentally selected and\ntested a total of 20 public access Web sites for Kennedy Space Center (Kennedy) and\nAmes Research Center (Ames). The additional sites at Kennedy and Ames were not ones\nthat were on NASA's list of most visited sites. We also tested the Office of Inspector\nGeneral Web site during our review. We visited about 15 pages for each Web site to\ndetermine whether persistent cookies were in use. We tested a total of 49 Web sites and\nviewed about 600 Web pages associated with these sites. We were unable to determine\nthe total universe of NASA Web sites or pages because NASA management did not have\nreliable information available. We tested all the sites for use of persistent cookies and for\ncompliance with OMB Web site privacy policies as prescribed in OMB Memorandum\nM-00-13, issued June 22, 2000. We did not review for the use of other information\ncollection devices.\n\nFor sites in which persistent cookies were found, we inquired about whether the cookie\ncontained personally identifiable information. 
Also, we inquired about NASA\xe2\x80\x99s use of\ncookies in accordance with OMB policies.\n\nWe obtained management\xe2\x80\x99s written representation concerning any third-party agreements\nto collect, review, or obtain aggregate lists or singular data containing personally\nidentifiable information related to an individual\xe2\x80\x99s access or viewing habits for Web sites.\n\n\n\n                                             10\n\x0c                                                                            Appendix A\n\nAlthough we reviewed NASA\xe2\x80\x99s policies and tested numerous NASA Web sites operated\nby contractors, our scope did not include coverage of contractors\xe2\x80\x99 commercial Web sites\n(.com) that may provide information on NASA programs supported by those contractors.\nPolicy and procedures in this area will be the subject of a future audit.\n\nWe reviewed policy for the NASA Privacy Statement to determine whether the policy\nwas consistent with OMB guidelines.\n\nFollow-up work for some issues identified during our review will be included in the\nOffice of Inspector General FY 2002 Audit Plan.\n\nReview Field Work\n\nWe performed the field work for this review during January and February 2001.\n\n\n\n\n                                           11\n\x0cAppendix B. Management\xe2\x80\x99s Response\n\n\n\n\n               12\n\x0c     Appendix B\n\n\n\n\n13\n\x0cAppendix B\n\n\n\n\n             14\n\x0c                       Appendix C. 
Report Distribution\n\n\nNational Aeronautics and Space Administration (NASA) Headquarters\n\nA/Administrator\nAA/Chief of Staff\nAI/Associate Deputy Administrator\nB/Acting Chief Financial Officer\nB/Comptroller\nBF/Director, Financial Management Division\nC/Associate Administrator for Headquarters Operations\nG/General Counsel\nH/Associate Administrator for Procurement\nJ/Associate Administrator for Management Systems\nJM/Director, Management Assessment Division\nL/Acting Associate Administrator for Legislative Affairs\nM/Associate Administrator for Space Flight\nP/Acting Associate Administrator for Public Affairs\nQ/Associate Administrator for Safety and Mission Assurance\nR/Associate Administrator for Aerospace Technology\nS/Associate Administrator for Space Science\nU/Acting Associate Administrator for Life and Microgravity Sciences and Applications\nY/Associate Administrator for Earth Science\nZ/Acting Associate Administrator for Policy and Plans\n\n\nNASA Centers\n\nDirector, Ames Research Center\nDirector, John H. Glenn Research Center at Lewis Field\nDirector, Goddard Space Flight Center\n Chief Financial Officer, Goddard Space Flight Center\nDirector, Langley Research Center\n Chief Financial Officer, Langley Research Center\nDirector, John F. Kennedy Space Center\n Chief Counsel, Kennedy Space Center\nDirector, Lyndon B. Johnson Space Center\nDirector, John C. Stennis Space Center\nDirector, Jet Propulsion Laboratory\nDirector, Dryden Flight Research Center\nDirector, George C. 
Marshall Space Flight Center\n\n\n\n\n                                          15\n\x0cNon-NASA Federal Organizations and Individuals\n\nAssistant to the President for Science and Technology Policy\nDeputy Associate Director, Energy and Science Division, Office of Management and\n  Budget\nBranch Chief, Science and Space Programs Branch, Energy and Science Division,\n  Office of Management and Budget\nDirector, Acquisition and Sourcing Management Team, General Accounting Office\nProfessional Assistant, Senate Subcommittee on Science, Technology, and Space\n\n\nChairman and Ranking Minority Member \xe2\x80\x93 Congressional Committees and\nSubcommittees\n\nSenate Committee on Appropriations\nSenate Subcommittee on VA, HUD, and Independent Agencies\nSenate Committee on Commerce, Science, and Transportation\nSenate Subcommittee on Science, Technology, and Space\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on VA, HUD, and Independent Agencies\nHouse Committee on Government Reform\nHouse Subcommittee on Government Management, Information, and Technology\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations\nHouse Committee on Science\nHouse Subcommittee on Space and Aeronautics\n\n\nCongressional Member\n\nHonorable Pete Sessions, U.S. House of Representatives\n\n\n\n\n                                          16\n\x0c               NASA Assistant Inspector General for Auditing\n                              Reader Survey\n\nThe NASA Office of Inspector General has a continuing interest in improving the\nusefulness of our reports. We wish to make our reports responsive to our\ncustomers\xe2\x80\x99 interests, consistent with our statutory responsibility. Could you help us\nby completing our reader survey? 
For your convenience, the questionnaire can be\ncompleted electronically through our homepage at\nhttp://www.hq.nasa.gov/office/oig/hq/audits.html or can be mailed to the Assistant\nInspector General for Auditing; NASA Headquarters, Code W, Washington, DC\n20546-0001.\n\n\nReport Title: Review of the Collection of Personally Identifiable\n              Information on NASA\xe2\x80\x99s Web Sites\n\nReport Number: IG-01-008                      Report Date: February 16, 2001\n\n\nCircle the appropriate rating for the following statements.\n\n                                             Strongly                                Strongly\n                                              Agree     Agree   Neutral   Disagree   Disagree   N/A\n1. The report was clear, readable, and          5        4        3          2          1       N/A\n   logically organized.\n2. The report was concise and to the            5        4        3          2          1       N/A\n   point.\n3. We effectively communicated the              5        4        3          2          1       N/A\n   audit objectives, scope, and\n   methodology.\n4. The report contained sufficient              5        4        3          2          1       N/A\n   information to support the finding(s)\n   in a balanced and objective manner.\n\nOverall, how would you rate the report?\n    Excellent           Fair\n    Very Good           Poor\n    Good\n\nIf you have any additional comments or wish to elaborate on any of the above\nresponses, please write them here. Use additional paper if necessary.\n\x0cHow did you use the report?\n\n\n\n\nHow could we improve our report?\n\n\n\n\nHow would you identify yourself? 
(Select one)\n\n       Congressional Staff                      Media\n       NASA Employee                            Public Interest\n       Private Citizen                          Other:\n       Government:            Federal:            State:          Local:\n\n\nMay we contact you about your comments?\n\n              Yes:______                           No:_____\n\n\n              Name:___________________________________\n\nThank you for your cooperation in completing this survey.\n\n\n\n\n                                          18\n\x0cMajor Contributors to This Report\n\nGregory B. Melson, Program Director, Information Assurance Audits\n\nErnest L. Willard, Audit Program Manager\n\nMindy N. Vuong, Auditor\n\nInes M. Salcedo, Auditor\n\nKeri Roberts, Auditor\n\nNancy C. Cipolla, Report Process Manager\n\nPatricia C. Reid, Program Assistant\n\n\n\n\n                                           19\n\x0c"